Cybercriminals Hijack Legitimate Websites in New Wave of Deceptive Phishing Attacks
[Date: November 2, 2025] – A sophisticated surge in phishing attacks is underway, with cybercriminals increasingly exploiting trusted communication channels – legitimate websites and compromised email accounts – to bypass security measures and deceive unsuspecting individuals and organizations. This isn’t your grandfather’s phishing scam; it’s a cunning evolution that’s proving remarkably difficult to detect, and it’s happening now.
From Business Email Compromise to Complete Business Compromise
For years, KnowBe4’s Threat Lab has tracked the rise of Business Email Compromise (BEC) attacks, where criminals impersonate individuals within a company to trick employees into transferring funds or divulging sensitive information. But the threat has escalated. According to the latest report, BEC is rapidly evolving into what KnowBe4 terms “Complete Business Compromise” (CBC). These CBC attacks are broader in scope, impacting more systems, and significantly harder to identify.
The numbers are alarming. KnowBe4 Defend™ data reveals a nearly 35% increase in phishing attacks originating from compromised accounts between 2024 and 2025, with 59.1% of all detected phishing attacks now stemming from legitimate, hijacked accounts. Filters that key on sender reputation (a suspicious domain, a look-alike sender name, a failed SPF or DKIM check) see nothing wrong with mail that genuinely leaves a legitimate mailbox, so they are becoming increasingly ineffective against this traffic.
The “Contact Us” Form as a Weapon
What’s particularly concerning is a newly observed tactic: attackers are leveraging the very forms designed to help customers, namely contact forms and appointment requests on company websites. They submit these forms from a free Microsoft 365 account on an onmicrosoft.com domain, masquerading as a well-known brand such as a bank or payment service and placing the phishing lure in the message field. The website then automatically sends a confirmation email that echoes the submitted content, from the company’s real domain and through the company’s own mail infrastructure, so sender-authentication checks (SPF, DKIM, DMARC) pass legitimately rather than being bypassed. The attacker then forwards this authenticated email to hundreds or even thousands of recipients.
This isn’t just about technical trickery; it’s masterful social engineering. The emails often contain manipulative content, like fabricated financial emergencies (a fake PayPal transaction, for example), and prominently display a phone number. Victims who call the number are connected directly to the attackers, who then use emotionally charged conversations to extract personal or financial details.
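To make the mechanism concrete, the following is an added example written for this article, not code from KnowBe4 or from any affected website. It contrasts a contact-form backend that echoes the submitter's text into a confirmation email (the pattern the attackers exploit) with a hardened handler that never repeats submitter-controlled content and screens submissions for lure-like features (a callback number, urgency wording, an impersonated brand name) before sending anything. The company domain, the onmicrosoft.com return address, both sample submissions, the keyword lists and the scoring weights are all assumptions constructed for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

COMPANY_DOMAIN = "example-bank.com"   # assumed domain of the abused website


@dataclass
class Submission:
    """One 'contact us' form submission as received by the web backend."""
    name: str      # free text; attackers put a brand name here
    email: str     # address the site mails its confirmation to
    message: str   # free text; attackers put the lure here


# Constructed sample of the tactic: a brand-impersonating name, a free
# onmicrosoft.com mailbox as the return address, and a financial-emergency
# lure with a callback number in the message body.
ATTACK = Submission(
    name="PayPal Billing",
    email="billing@example-tenant.onmicrosoft.com",
    message=("A payment of $499.99 to CryptoVault Ltd was authorized on your "
             "account. If you did not make this purchase, call +1-800-555-0199 "
             "immediately to cancel it."),
)

# Constructed benign submission for comparison.
BENIGN = Submission(
    name="Jane Doe",
    email="jane@example.org",
    message="Hi, what are your branch opening hours on Saturdays?",
)


def confirmation_vulnerable(sub: Submission) -> dict:
    """The weak pattern: the backend echoes the submitter's text verbatim
    into a mail sent from the company's own domain. The company's MTA really
    sends it, so SPF/DKIM/DMARC pass and the lure arrives as an authenticated
    message from example-bank.com, ready to be forwarded on to victims."""
    return {
        "from": f"noreply@{COMPANY_DOMAIN}",
        "to": sub.email,
        "subject": f"Thank you for contacting us, {sub.name}",
        "body": f"We received your message:\n\n{sub.message}\n\nWe will reply shortly.",
    }


# Heuristics for submissions that read like a phishing lure rather than a
# customer enquiry. Pattern, keyword lists and weights are assumptions.
PHONE_RE = re.compile(r"\+?\d[\d\-\s().]{7,}\d")
URGENCY = ("immediately", "authorized", "suspended", "verify", "cancel")
BRANDS = ("paypal", "bank", "amazon", "apple", "microsoft")


def risk_score(sub: Submission) -> int:
    """Score a submission: callback number +2, each urgency word +1,
    impersonated brand name in name or message +2."""
    text = f"{sub.name} {sub.message}".lower()
    score = 2 if PHONE_RE.search(sub.message) else 0
    score += sum(1 for word in URGENCY if word in text)
    score += 2 if any(brand in text for brand in BRANDS) else 0
    return score


def confirmation_hardened(sub: Submission, threshold: int = 4) -> Optional[dict]:
    """The hardened pattern: never echo submitter-controlled text, and send
    no confirmation at all when the submission scores as a lure (return
    None so the caller can log it for review instead of mailing it)."""
    if risk_score(sub) >= threshold:
        return None
    return {
        "from": f"noreply@{COMPANY_DOMAIN}",
        "to": sub.email,
        "subject": "We received your enquiry",
        "body": (f"Thank you for contacting {COMPANY_DOMAIN}. A member of our team "
                 "will reply within two business days. If you did not submit "
                 "this form, please ignore this message."),
    }


if __name__ == "__main__":
    leaked = confirmation_vulnerable(ATTACK)
    print("vulnerable handler echoes the lure:", "555-0199" in leaked["body"])
    print("attack score:", risk_score(ATTACK),
          "-> confirmation sent?", confirmation_hardened(ATTACK) is not None)
    print("benign score:", risk_score(BENIGN),
          "-> confirmation sent?", confirmation_hardened(BENIGN) is not None)
```

The important design choice is the first one: a confirmation email that contains nothing the submitter typed is useless as a phishing relay no matter how the scoring is tuned. The scoring is a second layer that also gives the security team a log of attempted abuse rather than silently mailing lures out of the company's own domain.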
Who’s at Risk? Trust is the Vulnerability
Organizations in sectors where trust is paramount – finance, law, healthcare, and insurance – are particularly vulnerable. The inherent trust placed in these industries makes employees and customers more susceptible to these attacks. The KnowBe4 Threat Lab predicts this trend will continue to accelerate, as these tactics require neither direct access to email accounts nor the deployment of malware.
Evergreen Insight: The shift towards exploiting legitimate systems represents a fundamental change in the cyber threat landscape. For decades, cybersecurity has focused on blocking malicious actors from entering systems. Now, the battleground is shifting to identifying and mitigating threats that are already inside the perimeter. This requires a proactive, rather than reactive, approach.
The “Zero Trust” Solution and Beyond
KnowBe4 recommends adopting a “zero trust” security model. This means verifying every incoming message, regardless of the sender, domain, or authentication results. Coupled with real-time threat intelligence and comprehensive employee training in recognizing social engineering tactics, organizations can significantly reduce their risk.
Practical Tip: Be skeptical of any unsolicited communication, even if it appears to come from a trusted source. Verify requests through a separate communication channel (e.g., a phone call to a known number) before taking any action. Hover over links to check the actual destination URL before clicking.
The evolving sophistication of these attacks underscores a critical truth: cybersecurity is no longer solely a technical challenge. It’s a human challenge. Protecting your organization requires a holistic approach that combines robust technology with a well-trained, vigilant workforce. Staying informed about the latest threats and proactively implementing security measures is no longer optional – it’s essential for survival in today’s digital world.
Further Reading:
- KnowBe4 Human Risk Management Blog
- KnowBe4 Threat Lab
- datensicherheit.de: Email Threat Landscape Report